TACUNS
Module 2 of 4

IoCs, TTPs & MITRE ATT&CK

Indicators of Compromise (IoCs)

Indicators of Compromise are pieces of forensic evidence that suggest a system or network has been breached. They are the artifacts left behind by an attacker — the digital equivalent of fingerprints at a crime scene. IoCs are the most commonly shared form of threat intelligence because they are easy to extract and can be directly fed into security tools.

IoC Types

IoC Type | Examples | Where Found
IP Addresses | 185.220.101.47, Tor exit nodes, known C2 IPs | Firewall logs, NetFlow, threat feeds
Domain Names | malicious-update.xyz, dga-generated.net | DNS logs, proxy logs, threat feeds
URLs | http://bad.site/payload.exe, phishing URLs | Proxy logs, email headers, threat feeds
File Hashes (MD5) | d41d8cd98f00b204e9800998ecf8427e | EDR telemetry, AV scans, sandbox reports
File Hashes (SHA-256) | e3b0c44298fc1c149afbf4c8996fb92427ae41e4... | Same sources as MD5; prefer SHA-256 when sharing, because MD5 is no longer collision-resistant and two different files can carry the same MD5
Email Addresses | sender@malicious.ru, phishing From address | Email security gateway logs
Registry Keys | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<malware> | EDR, forensic analysis
File Paths | C:\Users\Public\malware.exe, /tmp/.hidden_payload | EDR, SIEM host logs
Mutex Names | Global\{12345-abcd-...} | Memory forensics, sandbox analysis

A caveat on the two hash examples: they are the MD5 and SHA-256 of an empty file. A hash like that matches every zero-byte file on every host, so it is the classic example of an indicator that must be filtered out of a feed before it reaches a blocking control.

IoC Decay

IoCs have a shelf life. IP addresses and domains used in attacks are rotated frequently, sometimes within hours. A file hash from a six-month-old incident may be completely irrelevant today because the attacker has recompiled the malware; the hash still matches the old file exactly, it just no longer matches anything the attacker is using. TTPs (the top of the Pyramid of Pain) decay much more slowly: an adversary cannot easily change their fundamental methods.
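As an added worked example (not part of the TACUNS module), the following Python pulls the IoC types from the table above out of a constructed alert and applies the decay idea: each indicator gets a confidence that halves every so many days, with the half-lives being an assumed local policy rather than a standard. The defanging conventions it undoes (hxxp, [.], [@]), the file-extension stop-list and the alert text are all assumptions about the input.

```python
import ipaddress
import re

# Undo the defanging conventions analysts use when sharing IoCs (hxxp, [.], (.), [@], [:]).
def refang(text: str) -> str:
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.I)
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[@]", "@"), ("[:]", ":")):
        text = text.replace(defanged, real)
    return text

URL_RE = re.compile(r"\bhttps?://[^\s'\"<>()]+", re.I)
EMAIL_RE = re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.I)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
HASH_NAMES = {32: "md5", 40: "sha1", 64: "sha256"}
# Minimal stop-list so "malware.exe" is not reported as a domain; a production
# extractor checks the last label against the public suffix list instead.
FILE_EXTENSIONS = {"exe", "dll", "ps1", "bat", "js", "vbs", "docx", "xlsx", "pdf", "zip", "txt", "log"}

def extract_iocs(text: str) -> list[dict]:
    """Return typed, de-duplicated IoCs in order of first appearance."""
    text = refang(text)
    found, seen = [], set()

    def add(kind: str, value: str) -> None:
        if (kind, value.lower()) not in seen:
            seen.add((kind, value.lower()))
            found.append({"type": kind, "value": value})

    # URLs and e-mail addresses go first and are then blanked out, so their host
    # parts are not reported a second time as bare domains.
    for m in URL_RE.findall(text):
        add("url", m)
    text = URL_RE.sub(" ", text)
    for m in EMAIL_RE.findall(text):
        add("email", m.lower())
    text = EMAIL_RE.sub(" ", text)
    for m in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(m)
        except ValueError:      # 999.1.1.1 satisfies the regex but is not an address
            continue
        if ip.is_global:        # RFC 1918, loopback and link-local are never useful external IoCs
            add("ipv4", m)
    for m in HASH_RE.findall(text):
        add(HASH_NAMES[len(m)], m.lower())
    for m in DOMAIN_RE.findall(text):
        if m.rsplit(".", 1)[-1].lower() not in FILE_EXTENSIONS:
            add("domain", m.lower())
    return found

# Assumed local decay policy in days, not a standard: network infrastructure
# rotates fastest, while a hash stays a true match for that exact file but its
# operational relevance fades as the actor recompiles.
HALF_LIFE_DAYS = {"ipv4": 7, "url": 14, "domain": 30, "email": 30, "md5": 90, "sha1": 90, "sha256": 90}

def decayed_confidence(ioc_type: str, age_days: int, base: float = 100.0) -> float:
    """Exponential decay: confidence halves every HALF_LIFE_DAYS[ioc_type] days."""
    return round(base * 0.5 ** (max(age_days, 0) / HALF_LIFE_DAYS[ioc_type]), 1)

def score_alert(text: str, age_days: int) -> list[dict]:
    """Extract IoCs from an alert and attach an age-adjusted confidence to each."""
    iocs = extract_iocs(text)
    for ioc in iocs:
        ioc["confidence"] = decayed_confidence(ioc["type"], age_days)
    return iocs

# Constructed alert text for the demonstration; the indicators are not real intelligence.
SAMPLE_ALERT = """Host WS-042 fetched hxxp://malicious-update[.]xyz/payload.exe and beaconed to
185[.]220[.]101[.]47 and 10.0.0.5; dropped C:\\Users\\Public\\malware.exe (md5 d41d8cd98f00b204e9800998ecf8427e).
Phish came from sender@malicious[.]ru; DNS later resolved dga-generated[.]net."""

if __name__ == "__main__":
    for ioc in score_alert(SAMPLE_ALERT, age_days=14):
        print(ioc)
```

Note that the private address 10.0.0.5 and the file name malware.exe are dropped on purpose: an extractor that forwards those into a blocklist produces exactly the kind of noisy, self-inflicted outage the decay discussion is warning about.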

The Pyramid of Pain

Proposed by David Bianco, the Pyramid of Pain describes the relative difficulty an adversary faces when you block different types of indicators. Indicators at the bottom are trivial for attackers to change. Indicators at the top are genuinely painful to change because they represent deeply embedded methods and tools.

Level | Indicator Type | Ease for Attacker to Change | Your Defensive Value
Bottom | Hash Values | Trivial (recompile, add a byte) | Low: only stops the exact variant
 | IP Addresses | Easy (rotate infrastructure) | Low: temporary nuisance
 | Domain Names | Easy (register a new domain) | Low to Medium: slows them slightly
 | Network/Host Artifacts | Moderate (change C2 protocol parameters) | Medium: requires retooling
 | Tools | Significant (develop or buy new tools) | High: disrupts operational capability
Top | TTPs (Tactics, Techniques, Procedures) | Very Difficult (change fundamental methodology) | Very High: forces complete retooling

Security programs that focus exclusively on blocking file hashes and IP addresses are playing a losing game — attackers change these in minutes. Mature programs focus on detecting TTPs: behavioral indicators that are hard to change because they reflect how an adversary fundamentally operates.
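An added example, not code from the page, of what "detecting TTPs" means in practice: three rules run over constructed Sysmon-style process-creation events. The hash IoC rule catches the dropper from last quarter's report but misses the recompiled copy; the behavioural rules (an Office application spawning a script host or an executable from a user-writable path, and PowerShell launched with an encoded command) catch both. The hashes, paths and command lines are all constructed.

```python
import base64
import hashlib
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class ProcessEvent:
    """The subset of Sysmon Event ID 1 fields these rules need (all values constructed)."""
    image: str
    parent_image: str
    command_line: str
    sha256: str

# Hash IoC as it would arrive in a feed (constructed: sha256 of a fake "v1" dropper and of its recompile).
DROPPER_V1 = hashlib.sha256(b"constructed dropper v1").hexdigest()
DROPPER_V2 = hashlib.sha256(b"constructed dropper v1, recompiled").hexdigest()
BLOCKED_HASHES = {DROPPER_V1: "Dropper v1, last quarter's incident report"}

OFFICE_PARENTS = ("*\\winword.exe", "*\\excel.exe", "*\\powerpnt.exe", "*\\outlook.exe")
SHELL_OR_SCRIPT_HOSTS = ("*\\cmd.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\wscript.exe",
                         "*\\cscript.exe", "*\\mshta.exe", "*\\rundll32.exe", "*\\regsvr32.exe")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# -e, -ec, -en, -enc, -encodedcommand followed by a base64 blob; "-ep bypass" does not match.
ENCODED_PS = re.compile(r"\s-e(?:c|n[a-z]*)?\s+[A-Za-z0-9+/=]{20,}", re.I)

def _matches(path: str, patterns) -> bool:
    return any(fnmatchcase(path.lower(), p) for p in patterns)

def hash_ioc(ev: ProcessEvent) -> bool:
    """Bottom of the pyramid: fires only on the exact bytes seen before."""
    return ev.sha256.lower() in BLOCKED_HASHES

def office_spawns_suspicious_child(ev: ProcessEvent) -> bool:
    """Behaviour behind T1566.001 / T1204.002: an Office app launching a script host
    or an executable from a user-writable path. Recompiling the payload does not help."""
    if not _matches(ev.parent_image, OFFICE_PARENTS):
        return False
    return _matches(ev.image, SHELL_OR_SCRIPT_HOSTS) or ev.image.lower().startswith(USER_WRITABLE)

def encoded_powershell(ev: ProcessEvent) -> bool:
    """Behaviour behind T1059.001 with T1027-style obfuscation: PowerShell given an encoded command."""
    return _matches(ev.image, ("*\\powershell.exe", "*\\pwsh.exe")) and bool(ENCODED_PS.search(ev.command_line))

RULES = {"hash_ioc": hash_ioc,
         "office_spawns_suspicious_child": office_spawns_suspicious_child,
         "encoded_powershell": encoded_powershell}

def run_detections(events) -> dict[str, list[int]]:
    """Map each rule name to the indices of the events it fires on."""
    return {name: [i for i, ev in enumerate(events) if rule(ev)] for name, rule in RULES.items()}

WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED = base64.b64encode("IEX (New-Object Net.WebClient)".encode("utf-16le")).decode()

# Constructed telemetry: the same intrusion seen twice, before and after the actor recompiled,
# plus two benign events so the rules are shown not firing on normal activity.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\Public\malware.exe", WORD, "malware.exe", DROPPER_V1),          # known hash
    ProcessEvent(r"C:\Users\Public\update.exe", WORD, "update.exe", DROPPER_V2),            # recompiled
    ProcessEvent(PS, r"C:\Users\Public\update.exe", f"powershell.exe -nop -w hidden -enc {ENCODED}", "0" * 64),
    ProcessEvent(PS, r"C:\Windows\explorer.exe", "powershell.exe -ep bypass -Command Get-Process", "0" * 64),
    ProcessEvent(r"C:\Windows\splwow64.exe", WORD, "splwow64.exe 12288", "1" * 64),        # benign print helper
]

if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_EVENTS).items():
        print(f"{name:32s} -> events {hits}")
```

The same structure (parent/child relationship, path class, command-line shape) is what a Sigma rule encodes; the point is that each behavioural rule keeps firing across every recompile, while the hash rule is already stale at event 1.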

MITRE ATT&CK — Technique Deep Dive

Each ATT&CK Technique represents a specific method an adversary uses to accomplish a tactic. Techniques are identified by T-numbers (a T followed by four digits, e.g. T1566); sub-techniques append a dot and three more digits (e.g., T1566.001 is Phishing: Spearphishing Attachment).

High-Value Techniques to Know

Technique ID | Name | Tactic | Description
T1566 | Phishing | Initial Access | Email-based attack using malicious attachments or links to gain an initial foothold
T1078 | Valid Accounts | Initial Access, Persistence, Privilege Escalation, Defense Evasion | Use stolen or default credentials to authenticate legitimately
T1055 | Process Injection | Defense Evasion, Privilege Escalation | Inject malicious code into legitimate processes to hide execution
T1021 | Remote Services | Lateral Movement | Use RDP, SMB admin shares, SSH, WinRM or VNC with valid accounts to move between systems (remote execution via WMI is T1047)
T1003 | OS Credential Dumping | Credential Access | Extract credentials from LSASS memory, the SAM hive or NTDS.dit
T1486 | Data Encrypted for Impact | Impact | Ransomware: encrypt files and demand payment for the decryption key
T1071 | Application Layer Protocol | Command and Control | Use HTTP/HTTPS, DNS or mail protocols for C2 to blend with legitimate traffic
T1547 | Boot or Logon Autostart Execution | Persistence, Privilege Escalation | Registry Run keys, the Startup folder, Winlogon helper DLLs and similar autostart locations (persistence via a new Windows service is T1543.003)

Using ATT&CK for Detection Engineering

Map your existing detection rules to ATT&CK techniques; most rule formats carry this as metadata (Sigma rules, for example, tag techniques as attack.t1566.001). Techniques that no rule references have zero detection coverage, and among those, the ones your threat model says adversaries actually use against you are your highest-priority detection gaps.

Use ATT&CK Navigator to visualize coverage as a heatmap. Navigator colours each technique by the score you assign in a layer file; a common convention is green = covered, yellow = partial coverage, red = uncovered.

For each uncovered high-priority technique, identify the data sources you need (process creation events, network traffic, registry changes; every ATT&CK technique page lists its data sources) and only then write the detection logic. A rule written before the telemetry is collected will never fire.
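The three steps above as one added Python script (not the page's or MITRE's code). It takes a constructed rule inventory tagged with technique IDs, reports which of the high-value techniques from the table have no coverage together with the telemetry to onboard first, and writes an ATT&CK Navigator layer file. The Navigator and ATT&CK version numbers, the colour convention and the data-source mapping are assumptions to adjust to your environment.

```python
import json

# Constructed rule inventory. Each rule lists the techniques it detects with a
# self-assessed level: 1 = partial (one procedure or one sub-technique), 2 = good.
# In practice this comes from rule metadata, e.g. Sigma tags such as attack.t1566.001.
RULES = [
    {"name": "Office spawns shell or script host", "techniques": {"T1566.001": 2, "T1204.002": 1}},
    {"name": "LSASS handle from non-system process", "techniques": {"T1003.001": 2}},
    {"name": "New Run key written", "techniques": {"T1547.001": 1}},
    {"name": "Encoded PowerShell command line", "techniques": {"T1059.001": 2, "T1027": 1}},
]
# The high-value techniques from the table above, in the order listed there.
PRIORITY = ["T1566", "T1078", "T1055", "T1021", "T1003", "T1486", "T1071", "T1547"]
# Assumed mapping of gap techniques to the telemetry needed before a rule can be
# written; the data-source annotations on each ATT&CK technique page are authoritative.
DATA_SOURCES = {
    "T1078": ["authentication logs (4624/4625, VPN, IdP)"],
    "T1055": ["process access and remote thread events (Sysmon 8/10)"],
    "T1021": ["network logons (4624 type 3/10), SMB/RDP network flow"],
    "T1486": ["file modification telemetry, volume shadow copy deletion"],
    "T1071": ["proxy and DNS logs"],
}

def coverage(rules) -> dict[str, int]:
    """Best coverage level per technique ID across all rules."""
    cov: dict[str, int] = {}
    for rule in rules:
        for tech, level in rule["techniques"].items():
            cov[tech] = max(cov.get(tech, 0), level)
    return cov

def effective_level(tech: str, cov: dict[str, int]) -> int:
    """A parent technique with only a sub-technique covered counts as partial (1), never as good."""
    if tech in cov:
        return cov[tech]
    return 1 if any(t.startswith(tech + ".") for t in cov) else 0

def gap_report(priority, cov) -> dict[str, list[str]]:
    """Priority techniques with no detection at all, each with the data sources to onboard first."""
    return {t: DATA_SOURCES.get(t, ["(no data-source mapping yet)"])
            for t in priority if effective_level(t, cov) == 0}

def navigator_layer(priority, cov, name="Detection coverage") -> dict:
    """ATT&CK Navigator layer JSON: red uncovered, yellow partial, green good (our colour convention).
    The version numbers are assumptions; match them to your Navigator and ATT&CK release."""
    colour = {0: "#ff6666", 1: "#ffe766", 2: "#8ec843"}
    levels = {t: effective_level(t, cov) for t in priority}
    levels.update(cov)
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "0 = no detection, 1 = partial, 2 = good",
        "techniques": [{"techniqueID": t, "score": lvl, "color": colour[lvl],
                        "comment": "no detection" if lvl == 0 else f"coverage level {lvl}"}
                       for t, lvl in sorted(levels.items())],
        "gradient": {"colors": [colour[0], colour[1], colour[2]], "minValue": 0, "maxValue": 2},
        "legendItems": [{"label": "uncovered", "color": colour[0]},
                        {"label": "partial", "color": colour[1]},
                        {"label": "good", "color": colour[2]}],
    }

if __name__ == "__main__":
    cov = coverage(RULES)
    print("gaps:", json.dumps(gap_report(PRIORITY, cov), indent=2))
    with open("coverage-layer.json", "w") as fh:      # Navigator: Open Existing Layer -> upload this file
        json.dump(navigator_layer(PRIORITY, cov), fh, indent=2)
```

Run it and the gap report comes back with T1078, T1055, T1021, T1486 and T1071 uncovered, while T1566, T1003 and T1547 show as partial because only one sub-technique of each has a rule; that distinction is the reason a parent technique is never promoted to "good" on the strength of a single sub-technique.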

STIX — Structured Threat Information eXpression

STIX is a standardized language for describing cyber threat information in a machine-readable format. It enables consistent, automated sharing of threat intelligence between different organizations and security tools.

STIX 2.1 Domain Objects (SDOs)

  • Indicator — a pattern that identifies potential malicious activity (e.g., a file hash, URL pattern, network traffic pattern)
  • Threat Actor — an entity attributed to threat activity with characteristics and motivation
  • Attack Pattern — a description of a TTP, usually linked to an ATT&CK technique through an external_references entry with source_name mitre-attack and the technique ID as external_id
  • Malware — a specific malware family with properties and behaviors
  • Campaign — a grouping of related intrusion activity attributed to a common adversary objective
  • Course of Action — recommended response or mitigation action
  • Infrastructure — servers, domains, and other infrastructure used in attacks
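To show what these objects look like on the wire, here is an added Python example (not from the page) that builds a STIX 2.1 bundle with an Indicator, a Malware object and an Attack Pattern linked to an ATT&CK technique, wires them together with Relationship objects, checks that every reference resolves inside the bundle, and evaluates the Indicator's pattern against an observed file. The pattern evaluator handles only the subset of STIX patterning that hash and domain indicators normally use; the hash is the well-known SHA-256 of an empty file standing in for a real sample, and the malware name is made up.

```python
import json
import re
import uuid
from datetime import datetime, timezone

SPEC_VERSION = "2.1"

def stix_id(stix_type: str) -> str:
    return f"{stix_type}--{uuid.uuid4()}"

def stix_now() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def sdo(stix_type: str, **props) -> dict:
    """Any STIX 2.1 object with the common required properties filled in."""
    ts = stix_now()
    return {"type": stix_type, "spec_version": SPEC_VERSION, "id": stix_id(stix_type),
            "created": ts, "modified": ts, **props}

def relationship(rel_type: str, source: dict, target: dict) -> dict:
    return sdo("relationship", relationship_type=rel_type, source_ref=source["id"], target_ref=target["id"])

def build_bundle(sha256: str, malware_name: str, attack_id: str, attack_name: str) -> dict:
    """Indicator -indicates-> Malware -uses-> Attack Pattern (tied to ATT&CK by external_id)."""
    indicator = sdo("indicator", name=f"{malware_name} dropper", pattern_type="stix",
                    pattern=f"[file:hashes.'SHA-256' = '{sha256}']", valid_from=stix_now())
    malware = sdo("malware", name=malware_name, is_family=True, malware_types=["dropper"])
    attack = sdo("attack-pattern", name=attack_name, external_references=[{
        "source_name": "mitre-attack", "external_id": attack_id,
        "url": f"https://attack.mitre.org/techniques/{attack_id.replace('.', '/')}"}])
    return {"type": "bundle", "id": stix_id("bundle"),   # a 2.1 bundle carries no spec_version
            "objects": [indicator, malware, attack,
                        relationship("indicates", indicator, malware),
                        relationship("uses", malware, attack)]}

def dangling_refs(bundle: dict) -> list[str]:
    """Every *_ref must resolve inside the bundle, or a consumer cannot rebuild the graph."""
    ids = {o["id"] for o in bundle["objects"]}
    return [v for o in bundle["objects"] for k, v in o.items() if k.endswith("_ref") and v not in ids]

# Evaluates the subset of STIX patterning most hash/domain indicators use: one observation
# expression, comparisons with = or != joined by AND/OR, where AND binds tighter than OR.
COMPARISON = re.compile(r"([\w:.'-]+)\s*(=|!=)\s*'([^']*)'")

def pattern_matches(pattern: str, observed: dict[str, str]) -> bool:
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("expected a single bracketed observation expression")
    for disjunct in re.split(r"\s+OR\s+", body[1:-1]):
        ok = True
        for comparison in re.split(r"\s+AND\s+", disjunct):
            m = COMPARISON.fullmatch(comparison.strip())
            if not m:
                raise ValueError(f"unsupported comparison: {comparison!r}")
            path, op, value = m.groups()
            actual = observed.get(path)      # a missing property never satisfies a comparison
            ok &= (actual == value) if op == "=" else (actual is not None and actual != value)
        if ok:
            return True
    return False

# Constructed example: the SHA-256 of an empty file stands in for a real sample hash.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

if __name__ == "__main__":
    bundle = build_bundle(EMPTY_SHA256, "ConstructedDropper", "T1566.001", "Phishing: Spearphishing Attachment")
    assert dangling_refs(bundle) == []
    print(json.dumps(bundle, indent=2))
    print(pattern_matches(bundle["objects"][0]["pattern"], {"file:hashes.'SHA-256'": EMPTY_SHA256}))
```

The dangling-reference check is the one most worth keeping when you ingest someone else's bundles: a Relationship whose target_ref points outside the bundle is silently dropped by some platforms and rejected by others, and either way the Indicator arrives without the context that made it useful.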

TAXII — Intelligence Transport Protocol

TAXII (Trusted Automated eXchange of Intelligence Information) is the transport layer for STIX. It defines how STIX objects are exchanged between servers and clients. TAXII 2.1 is a REST API over HTTPS (every request carries Accept: application/taxii+json;version=2.1), so any security tool with a TAXII client can retrieve threat intelligence from any TAXII server it is authorised to read.

  • TAXII Server — hosts one or more API Roots, each holding Collections of STIX objects; authenticates clients and enforces per-Collection read and write permissions
  • TAXII Client — discovers API Roots (GET /taxii2/), lists Collections and retrieves objects from them; TAXII 2.1 has no server-side subscription, so "automatic updates" means the client polling on a schedule
  • Collection — a named group of STIX objects on a TAXII server, read through /{api-root}/collections/{id}/objects/
  • Pull vs Push — both are initiated by the client: a pull is a GET on a Collection's objects endpoint, normally with added_after set to the last checkpoint and paging through more/next; a push is a POST of STIX objects to a Collection that grants can_write. The server never opens a connection to the client
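The pull side of that exchange as an added Python example, not the page's code and not a full TAXII library: a client that sends the TAXII 2.1 Accept header and a bearer token, discovers API Roots, lists Collections, and polls a Collection's objects endpoint with added_after and the more/next pagination cursor, keeping the X-TAXII-Date-Added-Last response header as the next checkpoint. The server it talks to is a constructed in-memory stand-in so the example runs offline; API Roots are modelled as path prefixes under one host, and the token value, collection ID and object IDs are made up.

```python
from typing import Optional

MEDIA_TYPE = "application/taxii+json;version=2.1"

class TaxiiError(Exception):
    pass

class TaxiiClient:
    """Minimal TAXII 2.1 consumer. The transport is injected as
    http_get(url, headers, params) -> (status, response_headers, json_body) so the protocol
    logic runs offline here; in production pass a thin wrapper around requests.get."""

    def __init__(self, base_url: str, http_get, bearer_token: Optional[str] = None):
        self.base_url = base_url.rstrip("/")
        self.http_get = http_get
        self.headers = {"Accept": MEDIA_TYPE}
        if bearer_token:
            self.headers["Authorization"] = f"Bearer {bearer_token}"

    def _get(self, path: str, params: Optional[dict] = None):
        status, hdrs, body = self.http_get(self.base_url + path, self.headers, params or {})
        if status in (401, 403):
            raise TaxiiError(f"not authorised for {path} (HTTP {status})")
        if status != 200:
            raise TaxiiError(f"HTTP {status} for {path}")
        return hdrs, body

    def discovery(self) -> dict:
        """GET /taxii2/ lists the API Roots (modelled here as path prefixes under base_url)."""
        return self._get("/taxii2/")[1]

    def collections(self, api_root: str) -> list:
        return self._get(f"/{api_root}/collections/")[1]["collections"]

    def poll(self, api_root: str, collection_id: str, added_after: Optional[str] = None, limit: int = 100):
        """Pull every object added after the checkpoint, following pagination until more is false.
        Returns (objects, new_checkpoint); the checkpoint is the X-TAXII-Date-Added-Last header,
        which is exactly what the next poll should send as added_after."""
        path = f"/{api_root}/collections/{collection_id}/objects/"
        params: dict = {"limit": limit}
        if added_after:
            params["added_after"] = added_after
        objects, checkpoint = [], added_after
        while True:
            hdrs, body = self._get(path, params)
            objects.extend(body.get("objects", []))
            checkpoint = hdrs.get("X-TAXII-Date-Added-Last", checkpoint)
            if not body.get("more"):
                return objects, checkpoint
            params["next"] = body["next"]      # opaque cursor handed back by the server

# Constructed stand-in for a TAXII 2.1 server: store rows are (date_added, stix_object). It enforces
# the Accept header and a bearer token, filters on added_after, and pages with more/next.
def fake_server(store):
    def http_get(url, headers, params):
        if headers.get("Accept") != MEDIA_TYPE:
            return 406, {}, {}
        if headers.get("Authorization") != "Bearer demo-token":
            return 401, {}, {}
        if url.endswith("/taxii2/"):
            return 200, {}, {"title": "Demo server", "api_roots": [url.replace("/taxii2/", "/feeds/")]}
        if url.endswith("/feeds/collections/"):
            return 200, {}, {"collections": [{"id": "c1", "title": "Demo feed", "can_read": True, "can_write": False}]}
        if url.endswith("/feeds/collections/c1/objects/"):
            rows = sorted(store, key=lambda r: r[0])
            if "added_after" in params:
                rows = [r for r in rows if r[0] > params["added_after"]]
            start, limit = int(params.get("next", 0)), int(params["limit"])
            page = rows[start:start + limit]
            hdrs = {"X-TAXII-Date-Added-First": page[0][0], "X-TAXII-Date-Added-Last": page[-1][0]} if page else {}
            body = {"objects": [r[1] for r in page]}
            if start + limit < len(rows):
                body.update(more=True, next=str(start + limit))
            return 200, hdrs, body
        return 404, {}, {}
    return http_get

STORE = [(f"2024-07-01T00:00:0{i}.000Z",
          {"type": "indicator", "id": f"indicator--00000000-0000-4000-8000-00000000000{i}"})
         for i in range(1, 6)]

if __name__ == "__main__":
    client = TaxiiClient("https://taxii.example", fake_server(STORE), bearer_token="demo-token")
    objects, checkpoint = client.poll("feeds", "c1", limit=2)     # three pages: 2 + 2 + 1
    print(len(objects), "objects; next poll sends added_after =", checkpoint)
```

Persist the returned checkpoint, not the wall-clock time of the poll: the server's date_added is the only clock that makes added_after exact, and using your own timestamp either re-fetches objects or, worse, skips ones the server added while the previous page was in flight.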

Threat Intelligence Platforms

Platform | Type | Key Features
MISP | Open source | IoC sharing, correlation, STIX/TAXII export, distributed sharing model
OpenCTI | Open source | STIX 2.1 native, ATT&CK mapping, graph visualization, connector ecosystem
ThreatConnect | Commercial | CTI lifecycle management, SOAR integration, intelligence-driven security operations
Recorded Future | Commercial | AI-driven intelligence, real-time dark web monitoring, risk scoring
VirusTotal | Freemium | File/URL/domain/IP reputation lookup; community reports and signatures

IoC Enrichment Workflow

When a suspicious IP, domain, or hash is identified in an alert:
  1. Query VirusTotal for community reputation. Look up the hash rather than uploading the sample: submitted files are visible to other subscribers, including adversaries who watch for their own tooling.
  2. Query your TIP for matching IoCs and historical context (first seen, related campaigns, prior incidents).
  3. Query Shodan/Censys for the infrastructure fingerprint (open ports, banners, TLS certificates).
  4. Check passive DNS for domains that resolved to the IP, and for the IP history of the domain.
  5. Map any associated TTPs to ATT&CK.
  6. Add the enriched IoC to your SIEM and threat intel platform for correlation.
Treat any single source as a hint rather than a verdict, and keep going when one source is down or rate-limited; an enrichment pipeline that fails closed on one vendor outage leaves analysts with nothing.
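An added Python sketch of that workflow, not code from the page. The VirusTotal lookup uses the real v3 endpoints and needs an API key and network access; the TIP, Shodan and passive-DNS sources are constructed fixtures, one of which times out to show that a failing source must not abort the enrichment. The indicator values, the fixture contents and the scoring weights are all assumptions.

```python
import json
import re
import urllib.request

VT_API = "https://www.virustotal.com/api/v3"

def classify(ioc: str) -> str:
    if re.fullmatch(r"[A-Fa-f0-9]{64}", ioc):
        return "sha256"
    if re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", ioc):
        return "ipv4"
    if re.fullmatch(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", ioc, re.I):
        return "domain"
    raise ValueError(f"unsupported indicator: {ioc!r}")

def virustotal_source(api_key: str):
    """Real VirusTotal v3 lookup by hash, IP or domain (network access and an API key required).
    Looking up a hash is passive; uploading the file itself is not, since other subscribers can fetch it."""
    paths = {"sha256": "files", "ipv4": "ip_addresses", "domain": "domains"}
    def lookup(ioc: str, kind: str) -> dict:
        req = urllib.request.Request(f"{VT_API}/{paths[kind]}/{ioc}", headers={"x-apikey": api_key})
        with urllib.request.urlopen(req, timeout=15) as resp:
            stats = json.load(resp)["data"]["attributes"]["last_analysis_stats"]
        return {"malicious": stats.get("malicious", 0), "total": sum(stats.values())}
    return lookup

def score(sources: dict) -> int:
    """Assumed local scoring policy: up to 70 from the VirusTotal detection ratio, +30 for a prior
    sighting in our own TIP, capped at 100. Tune the weights to your environment."""
    s = 0
    vt = sources.get("virustotal")
    if vt and not vt.get("error") and vt.get("total"):
        s += round(70 * vt["malicious"] / vt["total"])
    tip = sources.get("tip")
    if tip and not tip.get("error"):
        s += 30
    return min(s, 100)

def enrich(ioc: str, sources) -> dict:
    """Run the ordered lookups, merge what they return, and produce one record for the SIEM/TIP.
    Each lookup is lookup(ioc, kind) -> dict or None; one failing source must not abort the rest."""
    kind = classify(ioc)
    record = {"ioc": ioc, "type": kind, "sources": {}, "related": [], "attack": [], "score": 0}
    for name, lookup in sources:
        try:
            result = lookup(ioc, kind)
        except Exception as exc:
            record["sources"][name] = {"error": str(exc)}
            continue
        if result is None:
            continue
        record["sources"][name] = result
        for key in ("related", "attack"):
            record[key].extend(v for v in result.get(key, []) if v not in record[key])
    record["score"] = score(record["sources"])
    return record

# Constructed fixtures standing in for VirusTotal, the in-house TIP and a passive-DNS service.
FAKE_VT = {"185.220.101.47": {"malicious": 12, "total": 90}}
FAKE_TIP = {"185.220.101.47": {"first_seen": "2024-06-02", "context": "constructed campaign note",
                               "attack": ["T1071.001"]}}
FAKE_PDNS = {"185.220.101.47": ["malicious-update.xyz", "dga-generated.net"]}

def fake_vt(ioc, kind):
    return FAKE_VT.get(ioc)

def fake_tip(ioc, kind):
    return FAKE_TIP.get(ioc)

def fake_pdns(ioc, kind):
    return {"related": FAKE_PDNS[ioc]} if kind == "ipv4" and ioc in FAKE_PDNS else None

def fake_shodan(ioc, kind):
    raise TimeoutError("shodan: connection timed out")   # simulates an unavailable source

DEMO_SOURCES = [("virustotal", fake_vt), ("tip", fake_tip), ("shodan", fake_shodan), ("passive_dns", fake_pdns)]

if __name__ == "__main__":
    print(json.dumps(enrich("185.220.101.47", DEMO_SOURCES), indent=2))
```

To run it against the real service, replace ("virustotal", fake_vt) with ("virustotal", virustotal_source(api_key)); the merge and scoring logic does not change, which is the point of keeping every source behind the same lookup(ioc, kind) shape.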